Public Last Mile auto-fill vulnerability

September 21, 2017

Impact: On May 7, 2015, we were made aware of a vulnerability in the Dynatrace Synthetic Monitoring Last Mile network. The vulnerability allows a user running the Last Mile peer to collect form values (Autofill values) entered by some Firefox tests. While our Last Mile peer software deletes all cached information before/after a test, the vulnerability exposed a way of copying cached information during test execution for longer-running tests.

Dynatrace deployed a solution to this vulnerability on the evening of Saturday, May 9, 2015 (CMR-779). The fix prevents the Last Mile browser from caching any form values during test execution and disables all screenshot mechanisms in the Public Last Mile.
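As an added illustration (not Dynatrace's fix or code), the following Python check audits a Firefox `prefs.js`/`user.js` file for settings that still allow form values or logins to be cached. It assumes the stock Firefox preferences `browser.formfill.enable`, `signon.rememberSignons` and `signon.autofillForms` are the relevant ones; the advisory does not say which settings the fix changed, and both sample profiles are constructed.

```python
import re

# Stock Firefox prefs that control form-value and login caching.
# Assumption: the advisory does not name the settings the vendor changed;
# these are the standard Firefox prefs a defender would check.
REQUIRED_PREFS = {
    "browser.formfill.enable": False,  # remember form and search history
    "signon.rememberSignons": False,   # offer to save logins
    "signon.autofillForms": False,     # auto-fill saved logins
}

# Matches active lines such as: user_pref("name", false);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;')

# Constructed sample: caching left on, one hardening line commented out.
WEAK_PROFILE = '''
user_pref("browser.formfill.enable", true);
user_pref("signon.rememberSignons", false);
// user_pref("signon.autofillForms", false);
'''

# Constructed sample: all three prefs disabled.
HARDENED_PROFILE = '''
user_pref("browser.formfill.enable", false);
user_pref("signon.rememberSignons", false);
user_pref("signon.autofillForms", false);
'''

def parse_prefs(text):
    """Return {name: bool} for boolean prefs; later lines override earlier ones."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if match:  # commented-out and non-boolean lines are skipped
            prefs[match.group(1)] = match.group(2) == "true"
    return prefs

def audit(text):
    """Return [(pref, effective_value)] for prefs that still allow caching."""
    prefs = parse_prefs(text)
    findings = []
    for name, wanted in REQUIRED_PREFS.items():
        effective = prefs.get(name, True)  # Firefox defaults these to true
        if effective != wanted:
            findings.append((name, effective))
    return findings

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit(profile) or "OK")
```

A pref that is absent or only present in a comment is treated as the Firefox default (enabled), which is why the weak sample reports `signon.autofillForms` as well.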

Solution: The recommendation for running transactions on the Public Last Mile network is to use monitoring accounts with limited/appropriate access for any Synthetic test script. Also, use the encryption feature in the Recorder for any “FormFill” script actions that enter website UserID and password information.